Experts: FFIEC Guidance Falls Short
New Authentication Directives Don't Address Emerging Risks
Six months after a draft update of the Federal Financial Institutions Examination Council's online authentication guidance was accidentally disclosed, the formal update is finally here. [See NCUA Disclosed FFIEC Draft.] And industry experts are disappointed with what they see. [See FFIEC Authentication Guidance: First Analysis.]
Specifically, critics point to the absence of any mention of mobile banking, of the implications for call centers, of future threats, and of specifics about how institutions should protect their online customers. [See FFIEC Draft Guidance: Where's Mobile?.]
"Banks still relying on the basic challenge questions [out-of-the-box for products like RSA's Adaptive Authentication] need to have a plan in place to replace these with stronger authenticators," says risk assessor David Shroyer, a former executive at Bank of America.
"This has big implications in the call centers as well," says Shroyer, who recently co-founded Fraud Red Team, which provides risk assessments on identity, authentication and fraud for financial institutions. "Unfortunately, the guidance doesn't say this."
Issued June 28, the formal supplement to the October 2005 "Authentication in an Internet Banking Environment" guidance has been one of the financial industry's most anticipated documents. Shroyer says bankers "live and die" by the guidance. "They look to guidance to determine what technology investments they will make," he says. "The guidance now calls for MFA [multifactor authentication] for commercial customers. This is very good, but is a day late and a dollar short. Banks need to see the bigger picture of the guidance. MFA alone for commercial customers isn't enough. It must also include the other components of layered security, which is implied in the guidance, but not explicit."
The final supplement highlights the need for:
- Better risk assessments;
- Effective strategies for mitigating known online risks;
- Improved customer and employee fraud awareness. [See FFIEC Guidance: Focus on Awareness.]
'Wording is Wishy-Washy'
When compared with the December draft, only a few things have changed. First, less emphasis is placed on the need for multifactor authentication of retail or consumer account transactions. Regulators also toned down requirements for enhanced user authentication techniques, a change with which distinguished Gartner analyst Avivah Litan takes issue.
"Its wording is too wishy-washy, when it comes to delineating bank responsibility from customer responsibility," she says. "It uses words like 'could have prevented' or 'suggestion' too often. The regulators should be more matter-of-fact in setting out the guidelines and principles. For example, they should tell banks that they need to detect and stop money transfers that are clearly out-of-the-ordinary, when compared with the customer's established pattern of behavior."
Like Shroyer, Litan says the new guidance also is short-sighted, where threats related to emerging channels are concerned. "So, the FFIEC guidance does a good job of addressing today's and yesterday's threats and suggested techniques, but it is not sufficiently forward-looking," she says. "It spends a good amount of time and space on out-of-band authentication and transaction verification techniques, as it should, but does not sufficiently discuss what that should look like in the coming age of mobile banking from smart-phones or tablets."
Litan says the guidance should offer more suggestions for how banks should and can address emerging threats. "Two years from now, the guidance will be sorely out of date," she says.
As incidents of ACH and wire fraud linked to insufficient online authentication techniques have increased, financial institutions have looked to regulators to guide what should be considered "reasonable," when it comes to online security and protections that should be provided for commercial banking customers.
Legal disputes between banks and their commercial customers, such as the recently decided case between Michigan-based Experi-Metal Inc. and Comerica Bank, have only fueled the debate over liability and responsibility when financial losses result from fraud linked to online compromises. EMI sued Comerica for damages totaling more than $560,000 -- funds EMI lost after Comerica approved fraudulent wire transfers that totaled more than $1.9 million. [See Fraud Verdict: Opinions Vary.]
The Need for Guidance
"[The guidance] repeats, as it should, the fact that virtually every authentication technique can be compromised," Litan says. "The last FFIEC guidance in this area spent too much time on specific authentication measures and not enough on a layered security approach."
George Tubin, a senior research director for TowerGroup, says the timing of the guidance is interesting, relative to the case between EMI and Comerica. "If you look at the technology that they are recommending in this new supplement and you look at the case with Experi-Metal, if Comerica had been using the technology recommended, it would have caught the fraud," Tubin says. "Based on the court ruling, I think banks will be held more accountable. But as long as the banks are following what's outlined here in this new FFIEC guidance, they will be covered. At least that's the way the court seems to have viewed it in this case."
In the EMI case, which was decided in favor of the commercial customer, the court cited the existing FFIEC guidance in its ruling, finding that Comerica's security standards were not sufficient or reasonable when measured against that guidance for online authentication. [See Court Favors EMI in Fraud Suit.]
Tubin says the case shows that courts are turning to FFIEC guidance for an outline of what should be considered "reasonable" or "good faith" security, and bankers should take that very seriously. "What's being put here in this new guidance covers that," he says. "The court found that Comerica should have been monitoring the transactions. And as long as a bank has industry-acceptable technology, if they put forth the best effort, based on what the FFIEC recommends, then it does not seem that they will be held liable."
Layered security and anomaly detection will likely catch the fraud the small banks have been experiencing, Tubin says.
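What "out-of-the-ordinary, compared with the customer's established pattern" looks like as a concrete control, as an added illustration that is not code from the FFIEC supplement, from Gartner or TowerGroup, or from any vendor named on this page: a small scorer that builds a customer baseline from past transfers and scores a new wire on amount, beneficiary, hour of day, channel and velocity, then escalates to out-of-band verification or a hold. The customer name, payee identifiers, sample transfers, weights and thresholds are all constructed assumptions.

```python
# Added example: behaviour-based anomaly scoring for outbound transfers.
# Not from the FFIEC supplement or any vendor; rules, weights, thresholds
# and all sample data below are constructed assumptions for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    customer: str
    amount: float       # USD
    payee: str          # beneficiary identifier (constructed)
    when: datetime
    channel: str        # e.g. "online", "mobile", "callcenter"


@dataclass
class Profile:
    amounts: list
    payees: set
    hours: set
    channels: set


def build_profile(history):
    """Baseline from the customer's past, non-disputed transfers."""
    return Profile(
        amounts=[t.amount for t in history],
        payees={t.payee for t in history},
        hours={t.when.hour for t in history},
        channels={t.channel for t in history},
    )


def score_transfer(t, profile, recent):
    """Additive risk score plus readable reasons (weights are assumptions)."""
    score, reasons = 0, []
    mu, sigma = mean(profile.amounts), pstdev(profile.amounts)
    if sigma == 0:                      # flat history: avoid a zero-width band
        sigma = max(mu * 0.1, 1.0)
    if t.amount > mu + 3 * sigma:
        score += 3; reasons.append("amount far above established pattern")
    if t.payee not in profile.payees:
        score += 2; reasons.append("first payment to this beneficiary")
    if t.when.hour not in profile.hours:
        score += 1; reasons.append("outside customer's usual hours")
    if t.channel not in profile.channels:
        score += 1; reasons.append("unfamiliar channel")
    burst = [r for r in recent if timedelta(0) <= t.when - r.when <= timedelta(hours=1)]
    if len(burst) >= 3:
        score += 2; reasons.append("velocity: 3+ transfers in the last hour")
    return score, reasons


def decide(score):
    """Map a score to an in-flight control: release, verify out of band, or hold."""
    if score >= 5:
        return "hold"        # park the payment and call the customer back
    if score >= 2:
        return "step-up"     # require out-of-band confirmation before release
    return "allow"


def evaluate(t, profile, recent=()):
    score, reasons = score_transfer(t, profile, recent)
    return {"decision": decide(score), "score": score, "reasons": reasons}


def demo():
    """Constructed baseline and three candidate wires; returns the decisions."""
    cust = "acme-widgets"              # constructed customer
    base = datetime(2011, 6, 6, 10, 0)
    history = [
        Transfer(cust, amt, payee, base + timedelta(days=d, hours=h), "online")
        for amt, payee, d, h in [
            (12000.0, "PAYEE-A", 0, 0), (13500.0, "PAYEE-B", 7, 1),
            (12800.0, "PAYEE-A", 14, 0), (14200.0, "PAYEE-B", 21, 4),
            (13100.0, "PAYEE-A", 28, -1), (12600.0, "PAYEE-B", 35, 0),
        ]
    ]
    profile = build_profile(history)
    normal = Transfer(cust, 13000.0, "PAYEE-A", datetime(2011, 7, 11, 10, 30), "online")
    new_payee = Transfer(cust, 13000.0, "PAYEE-C", datetime(2011, 7, 11, 10, 45), "online")
    # account-takeover pattern: large wire to an unknown beneficiary at 03:05,
    # the fourth transfer inside an hour
    odd_time = datetime(2011, 7, 12, 3, 5)
    burst = [Transfer(cust, 9000.0, f"PAYEE-X{i}", odd_time - timedelta(minutes=10 * i), "online")
             for i in (1, 2, 3)]
    takeover = Transfer(cust, 95000.0, "PAYEE-X0", odd_time, "online")
    return {
        "normal": evaluate(normal, profile),
        "new_payee": evaluate(new_payee, profile),
        "takeover": evaluate(takeover, profile, burst),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {result['decision']:7s} score={result['score']} {result['reasons']}")
```

The point of the tiers is the layering the article keeps returning to: front-door authentication decides who may log in, but this check runs per transaction after login, so a session hijacked with valid credentials still trips the beneficiary, amount and velocity rules, and the "step-up" outcome is where an out-of-band call-back or one-time code belongs.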
Regulator's View
National Credit Union Administration Chairwoman Debbie Matz says catching that fraud before it drains commercial accounts is precisely what regulators had in mind.
"Sophisticated hacking techniques and growing organized cyber-criminal groups are increasingly targeting financial institutions, compromising authentication mechanisms and security controls, and engaging in online account takeovers and fraudulent electronic funds transfers," Matz says. "The supplement updates supervisory expectations for effective member authentication mechanisms, layered security and other controls to combat growing identity theft attacks and online transaction frauds."
Matz adds that federally insured credit unions, like other institutions that fall under regulatory scrutiny, will be expected to adopt strategies from the supplement to strengthen and enhance controls by January 2012. "Beginning in 2012, at credit unions offering electronic services, NCUA examiners will evaluate these controls under the enhanced expectations outlined," she says.
The agencies that make up the FFIEC are the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency, the National Credit Union Administration and the Office of Thrift Supervision.
Vendors' Role?
That heightened scrutiny will likely mean more reliance on third-party service providers. Shroyer says vendors will have to help banks quickly determine the best routes to pursue. "Banks will now be graded on both the existence and effectiveness of their layered security controls, which requires front-door authentication, in-flight transaction protection and backdoor fraud detection," he says.
Tiffany Riley of Guardian Analytics, which provides online security and fraud-prevention solutions, says layered security will be the new focus for vendors and their banking institution customers. "We think the supplemental guidance is a positive step forward," she says. "The guidance supplement sets clear minimum expectations for a layered security program that we agree will help prevent online banking fraud. We've seen how effective behavior-based anomaly detection and transaction monitoring can be and know the industry will benefit from the FFIEC expecting this approach from all institutions."